Legal and management requirements mean that we must be able to preserve and analyse data generated or processed by MOJ IT systems. The MOJ Forensic Readiness Policy [link to follow] helps us do that.
This document describes how to comply with the policy. It helps you:
The resulting FRPlan can be used for MOJ systems and domains, or by third party suppliers hosting MOJ systems and domains.
To help you get started, this document includes a blank FRPlan template.
A forensic investigation is not just about finding who did the deed, or how. It is also about collecting evidence that stands up to scrutiny. The investigation finds facts, both technical and testimonial, gathers them together, and presents them as a logical argument.
A forensic case includes:
The FRPlan ensures that the forensic investigation builds the case. For example, the investigation:
Each MOJ system or domain must have its own Forensic Readiness Plan (FRPlan). The plan:
The plan should identify:
The OST is responsible for:
The FIO is responsible for conducting the investigation.
The OST and the FIO are together responsible for the integrity of collected evidence.
The IAO or FIO is responsible for reporting progress during the investigation.
Create your FRPlan by using the following template as a starting point.
| System details | |
|---|---|
| System or domain name | This section defines the name of the ICT system or domain. |
| System description and scope | This section describes the name and purpose of the system, including the protective marking level of the information it holds. Diagrams may prove useful to clarify any complex interactions with other systems. Include details of any part of the system which is excluded from the scope of the plan, for example an application which is managed by another function. |
| Responsibilities and Ownership | This section contains a statement detailing who has: Where a third-party or managed service provider is responsible for all or just a component of the plan, a clear reference should be made to contractual responsibilities. Any points of contact regarding forensic readiness should also be noted. Include names for each of the key roles. |
| Forensic scenarios | |
| Scenario 1 | This section contains a summary of each scenario developed, with full details provided as an appendix to the plan. |
| Scenario 2 | |
| Process and procedures | |
| Process | This section contains a step-by-step sequence of activities that are followed during a forensic investigation. |
| Procedures | This section contains details about the forensic procedures which should be followed once the decision to undertake a forensic investigation has been made. The procedures are essential to ensure admissibility, in particular collecting and managing evidence correctly. |
| Performance monitoring | |
| KPIs and performance measures | This section contains details about the KPIs and SLAs for the plan. |
| Continuous improvement | This section contains details about the continuous improvement measures associated with this plan. |
| Training and awareness | |
| Capability and staff training | This section contains details about how the necessary staff training measures are implemented. |
| Plan Approval | |
| System manager | The name of the system manager, and the date they approved the FRPlan. |
| Information asset owner | The name of the information asset owner, and the date they approved the FRPlan. |
| System accreditor | The name of the system accreditor, and the date they approved the FRPlan. |
A helpful approach for creating the plan is to think of example scenarios involving security incidents that might require a forensic investigation. The NCSC Implementation Guide provides a useful list of typical incident scenarios.
Example scenarios that might be relevant to an MOJ system could involve:
The following table provides some specific examples of incidents which might require a forensic investigation:
| Incident | Notes |
|---|---|
| Creation or planting of viruses or malware | The deliberate or accidental introduction of malware is a major threat to MOJ information security. Possible problems include system downtime, unpredictable behaviour, or data becoming unavailable. |
| Damage or modification to computer equipment or data | Deliberate or accidental damage to a system might hide unauthorised activity previously carried out on that system. Modifications might include technologies such as key loggers or devices for bypassing normal security mechanisms. |
| Disciplinary issues as a result of inappropriate use of systems | Examples of inappropriate use include: the storage of pornographic or other unacceptable material, email abuse such as spam, connecting systems to unofficial networks, attempted unauthorised access to computer data or programs, or unapproved upload or download of information to the Internet. The acceptable use policy [link to follow] provides more information. |
| Email spam and Denial of Service (DoS) attacks | Internal connections might be used to attack other internal or external targets. An investigation may look for evidence of the tools used by hackers. |
| Financial crimes, identity theft, fraud, forgery, theft of funds, blackmail or extortion | Misusing a system to steal people’s identity for financial or other gain might leave evidence in other systems or devices, for example portable media. A forensic study of disks, equipment, logs and email records, as well as other devices such as mobile phones or non-digital evidence such as printed documents or written notes might provide investigators with the evidence required to prosecute individuals. |
| External attacks | Outside parties, ranging from teenagers acting alone to hostile foreign governments, might attempt to compromise the security of MOJ systems. |
| Internal authorised | Authorised users might abuse MOJ systems by unauthorised or unlawful acts. These could include storage of offensive material, stealing information for an outside agent, providing or selling information to someone external to the organisation, the upload or download of information to the Internet without approval, or internal unlawful file-sharing. |
| Internal to external | Perpetrators might use an MOJ system to enable attacks against external parties. Examples could include mass emailing, hosting illicit Peer-to-Peer (P2P) clients for purposes such as music propagation, or launching attacks against websites. |
| Internal unauthorised | Staff members might attempt to circumvent controls to gain access to material they do not have authorisation to view. A cleaner attempting to access a restricted file system would be an example of this. |
| Target systems | If an MOJ system is compromised as a result of a security incident, it might be necessary to collect evidence from the affected system to understand the method and source of the attack. |
| Telecommunications crime and hacking | The use of a computer to attempt unauthorised access to systems or networks is common. A forensic investigation might gather evidence from multiple devices, including router and firewall logs, to establish the source and perpetrator of the attack. |
| Theft of intellectual property or protected data | Unauthorised copying or removal of programs or sensitive data often involves the use of removable disks or other storage, such as a media player. Copyright theft would be an example of such a crime. Forensics can be used to prove a particular piece of equipment was used in such an incident, even if the perpetrator has attempted to cover their tracks. |
The FRPlan should include information to help address each scenario that applies to the system. Aim to provide sufficient detail rather than everything, otherwise your plan might be hard to adapt for an actual incident.
For each scenario, include the following information as a minimum:
The workflow does not need to be a detailed list. Most incidents have unique characteristics that can take the investigation in unpredictable directions. A simple ordered checklist can be very effective as a workflow for everyone to understand and follow.
The Forensic Readiness Plan must also consider the Key Performance Indicators (KPIs) and Service Level Agreements (SLAs) for the system. The plan should provide details showing that when it is executed, the plan:
Forensic investigation is often part of a larger incident management activity. The IT Security – Incident Management Policy describes the MOJ requirements for when forensic investigation is part of an incident management process.
The investigation process should also work with the relevant business continuity plan, and in accord with MOJ policy on records management.
Your FRPlan should provide details for each of the activities in the forensic investigation process. Useful examples are provided in the NCSC Implementation Guide. Your plan should make clear who is responsible for completing each activity.
The basic steps are as follows:
In addition, the following actions apply throughout the investigation:
At all times, a forensic investigation must be possible on a system or domain, using internal or external resources. Include details in your FRPlan about the pre-allocation of resources, or a process for obtaining the resources.
The resources required for an investigation should be sufficient to meet capability level 2 of the NCSC Forensic Readiness Good Practice Guide. The actual capacity required for an investigation is determined for each system as part of the accreditation process, defined within the MOJ Accreditation Framework.
Normally, a forensic investigation is done only if any of the following scenarios applies:
A leak investigation is a special case because the investigation tasks might fall outside the normal SIMP. Further guidance about this is available from the Corporate Security and Business Continuity Branch.
To help determine whether an investigation is required, consider the following questions:
When estimating possible damages, it might be appropriate to include thresholds for triggering escalations. These thresholds should be included in the FRPlan.
Your FRPlan should have a process for confirming that forensic work is required.
Legal and regulatory constraints on the MOJ differ from region to region. Conducting investigations in line with MOJ policies helps avoid any problems.
BS 10008 is the British Standard describing legal admissibility of evidence. Evidence captured from an MOJ system during an investigation must meet the standard.
Other legal frameworks and guidance might apply. For example, the National Crime Agency (NCA) expects an investigation to follow Association of Chief Police Officers (ACPO) guidelines to help ensure admissibility.
The FRPlan should include processes for seeking advice from the MOJ legal team and appropriate forensic investigation providers to ensure that evidence collected and managed is legally admissible.
The FRPlan should include details for running each of the two types of forensic investigation:
A proactive investigation is where factors such as the appropriateness, legality, and costs have already been assessed and accepted by the relevant business unit or risk owner. A characteristic of a proactive investigation is that forensic monitoring is already in progress as part of a planned MOJ security control.
A reactive investigation takes place after an incident is reported or identified. Before the investigation starts, several factors are evaluated, such as:
Unless the investigation is required by UK law or requested by UK law enforcement, you must do three tasks before starting the investigation:
Your FRPlan should have a process for completing these three steps.
The MOJ must be able to resume or continue working as soon as possible after an IT security incident event. This means that a forensic investigation should try to avoid impeding restoration of services. Ideally, the investigation helps support the restoration of IT services.
For example, a forensic investigation might require removal of hardware. Therefore, the investigation process should include provision for replacement hardware as part of removing the original equipment.
Your FRPlan should ensure that business continuity is maintained as much as possible throughout the investigation.
Digital evidence is surprisingly ‘fragile’. It must be handled extremely carefully to remain admissible. The forensic investigator or other qualified individual must check before capturing and storing evidence that the methods proposed are acceptable and comply with the Legality requirements, and in particular comply with BS 10008.
Anything done to evidence material must be recorded, including the details of what was done, and by whom.
In practice, the task of collecting and managing evidence is likely to be split between the MOJ, service providers, or external forensics providers. The methods used must still comply with the Legal admissibility requirements and with BS 10008. Throughout the investigation, evidence materials must be under the control of the Forensic Investigation Owner, who has responsibility for the material.
The MOJ has a set of four principles for collecting forensic evidence. They are based on ACPO guidelines.
| Principle | Detail |
|---|---|
| Preservation of evidence | The integrity of the original evidence must be preserved, by having sufficient security, legal advice, and procedural measures. Any processes applied to copies of evidence must be repeatable and achieve the same results. The FIO is responsible for all aspects of the collection and management of evidence during an investigation. |
| Aptitude for the task | Any task in a forensic investigation must be conducted by someone suitably trained and competent to carry out that task. |
| Documented methodology | A forensic investigation must follow the process documented in the FRPlan. An audit trail is created as evidence is collected. The result is a preserved chain of evidence. The chain demonstrates where evidence has been stored and who was responsible for it, for each stage of the process from capture to presentation. Other investigators repeating the processes get the same results. |
| Conformance to MOJ policies | All forensic investigations are conducted in a manner that complies with all MOJ policies. This includes corporate policies, security policies, and the Acceptable Use Policy [link to follow]. |
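The two principles that most often fail in practice are 'Preservation of evidence' (a repeatable process that gives the same result on a copy) and 'Documented methodology' (an audit trail recording what was done, by whom, and where the material was held). The following is an added example, not part of the MOJ guidance or any MOJ tooling, showing one way to meet both when acquiring a working copy of an evidence image: hash the original before and the copy after acquisition, and write every action to an append-only log in which each entry carries the hash of the previous one, so a later edit to the trail is detectable. The file names, the investigator name and the image contents are constructed for illustration.

```python
"""Added example (not MOJ code): hash-verified acquisition plus a tamper-evident
chain-of-custody log. All paths, names and data below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only audit trail. Every entry embeds the hash of the entry before
    it, so changing or removing an earlier record breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, action, actor, location, evidence_hash):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,            # what was done to the material
            "actor": actor,              # who did it
            "location": location,        # where the material was held
            "evidence_hash": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute each entry hash and confirm the chain is unbroken."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire_and_verify_copy(original_path, copy_path, log, actor):
    """Hash the original, hash the working copy, log both, and report whether
    the copy is a faithful (repeatable) reproduction of the original."""
    original_hash = sha256_file(original_path)
    log.record("acquired", actor, original_path, original_hash)
    copy_hash = sha256_file(copy_path)
    log.record("copied", actor, copy_path, copy_hash)
    return original_hash == copy_hash


def run_demo():
    """Constructed sample: a small 'image', an exact copy and an altered copy."""
    log = CustodyLog()
    actor = "J. Bloggs (FIO)"  # hypothetical investigator
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.img")
        good_copy = os.path.join(d, "evidence_copy.img")
        bad_copy = os.path.join(d, "evidence_altered.img")
        payload = b"constructed sample image contents\n" * 1000
        for path, data in ((original, payload),
                           (good_copy, payload),
                           (bad_copy, payload[:-1] + b"X")):
            with open(path, "wb") as f:
                f.write(data)
        copy_ok = acquire_and_verify_copy(original, good_copy, log, actor)
        altered_ok = acquire_and_verify_copy(original, bad_copy, log, actor)
    log_ok = log.verify()
    # Simulate someone rewriting an earlier record: the trail must now fail.
    log.entries[1]["actor"] = "someone else"
    tampered_log_ok = log.verify()
    return {"copy_ok": copy_ok, "altered_ok": altered_ok,
            "log_ok": log_ok, "tampered_log_ok": tampered_log_ok,
            "entries": len(log.entries)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The log records the four facts the 'Documented methodology' principle asks for (what, who, where, and the hash that ties the record to a specific state of the material); in a real plan the log would be written to storage the investigator cannot silently rewrite, and the hashes would be recorded on the evidence bag or continuity form as well.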
An active system can very quickly damage or delete evidence. While each system will require specific steps for preservation of evidence when it is active, as a minimum the following list should appear in the FRPlan:
A powered-off system is unlikely to damage or delete evidence. While each system will require specific steps for preservation of evidence when it is powered off, as a minimum the following list should appear in the FRPlan:
Confirming that a system really is powered off can be very difficult. A computer that is apparently off might be in sleep mode and could still be accessed remotely, allowing the alteration or deletion of data. Similarly, some PC ‘screen saver’ applications can give the appearance that the computer is switched off. Seek expert help to determine the power status of a system. Be aware that some systems such as laptops will ‘power up’ in response to an event such as opening the lid.
If at all possible, a system should never be moved before the qualified forensic investigator arrives. However, to allow for the possibility that a move cannot be avoided, as a minimum the following list of steps should appear in the FRPlan:
Ensure that your FRPlan has details and processes that:
When no longer required, equipment, information, or other evidential items must be disposed of securely and in compliance with the record retention and disposition schedule. Do this by following the ICT Security – ICT Asset Disposal Guide.
Ensure that the FRPlan has the details and processes to ensure timely and suitable disposal of materials that are no longer required.
Reporting is essential during an incident and subsequent investigation. A major incident might require external (non-MOJ) reporting. The FRPlan should include details and processes for communicating with generic and specific external audiences that might be included in the reporting structure or escalation path.
Consider the impact of any external reporting or escalation on day-to-day operational work. The investigation process needs to allow for the chain of evidence to be passed to outside agencies, such as law enforcement.
The FRPlan should include details of who gets reports, and processes for collecting and delivering the information to present to them. The FRPlan must be consistent with the reporting structure included in the SIMP. The FRPlan should also identify a single point of contact to coordinate the communications with people interested in the forensic investigation. This person is normally the FIO.
Internal reporting and communication must meet two objectives:
Bearing these in mind, reports normally go to:
Major incidents often require communication with external bodies, such as:
As work progresses, significant issues might be identified, or something might go wrong. In that case, it might become necessary to escalate to a wider or more senior audience.
The IAO or FIO is responsible for decisions about escalating or increasing the audience for reports. If responsibility for an investigation was escalated to the DSO or SIRO, they decide who gets the reports and will also decide on further escalation if it is appropriate.
The FRPlan should include details of the escalation path options. In particular, define clear roles and connection points to help speed up response.
Everyone using an MOJ system should know that their access and use is monitored. This awareness includes an understanding that forensic techniques might be used to capture evidence as part of an investigation. The FRPlan for a system should describe how this awareness is provided.
More generally, ongoing MOJ security awareness training should include forensic readiness awareness, and ensure at least annual refreshment for all staff on the current policy and procedures. This includes the communication of any required incident response procedures to ensure admissibility of evidence.
For those with specific roles identified in the FRPlan, more in-depth forensic readiness training may be required. The FRPlan should include details for providing the necessary training.
To ensure that the plan remains relevant, effective, and efficient, it should be reviewed annually and updated if appropriate.
As a minimum, the following plan information should be reviewed: